Tuesday, September 25, 2012

When is a phish not a phish?

The correct answer apparently is when it's a legitimate business email, sent from an associate or affiliate, that just tastes, smells and rots in your inbox like a dead phish.  Let's take a little quiz:

  1. You receive an email, purporting to be from your home alarm company, asking you to call them to "verify account information." Should you:
    1. Call that number immediately, just in case they shut down your alarm system
    2. Run in circles
    3. Laugh at the silly phisher and his or her laughably poor attempt at fooling you.
  2. You look at the email headers for the incoming request and note that the IP address and the domain have no apparent link to your alarm company at all. Should you:
    1. Assume that it's just something odd going on with the Internet, and resume calling the number provided?
    2. Call the FBI, Secret Service and Homeland Security to alert them to this clever ruse?
    3. Laugh even harder at the silly phisher and his or her inept handling of email headers and cloaking techniques.
  3. You look up every known and available phone number for your alarm company, listed on the web site and elsewhere and see that the phone number in the email does not match anything listed for them. Should you:
    1. Call the number immediately and tell them they need to update their web site?
    2. Assume they just typed it in wrong, but they still need to talk to you?
    3. Add up the information gleaned from #1 and #2 above and delete the email - smug in the knowledge that you've outwitted yet another silly phish?
I did none of the above, expecting that there was something stupider to blame, and it turns out I was correct. I looked up a legit number for my alarm company and called them (resisting the urge to tell them I was "alarmed") to see what might be up. I figured that if their customers were getting phished, they would want to know about it. As it turns out, it was a legitimate email that originated from their marketing dept. So, even though they claim (and somehow still insist) that they never share my information with any third party, somehow an email to me, originating from a 3rd party, wound up in my mailbox, asking me to call. The phone number (which seems to be used for other campaigns as well, according to the Internet hits it receives) does in fact go, eventually, to my alarm company.
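Steps 2 and 3 of the quiz are mechanical enough to script. The triage below is an added example, not code from the original post; the message, the alarm company's domain and the "known" phone numbers are all constructed, and the point is that the verdict it can reach is "verify out of band", never "phish" or "legitimate", because (as the story shows) a real marketing email fails the same checks.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message; every name, host, address and number is made up.
RAW_EMAIL = """\
Return-Path: <bounce@mailblast-example.net>
Received: from mx1.mailblast-example.net (mx1.mailblast-example.net [203.0.113.7])
    by mail.example.org with ESMTP; Tue, 25 Sep 2012 10:00:00 -0400
From: "Home Alarm Co" <offers@mailblast-example.net>
To: customer@example.org
Subject: Please verify your account information

Please call (555) 010-0123 to verify your account information.
"""

# Hypothetical: the alarm company's own domain and its published phone numbers
COMPANY_DOMAINS = {"homealarm.example"}
KNOWN_PHONES = {"5550109876"}

PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def sender_hosts(msg):
    """Every host or domain the message claims to come from (quiz step 2)."""
    hosts = set()
    for name in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(name, ""))[1]
        if "@" in addr:
            hosts.add(addr.rsplit("@", 1)[1].lower())
    for received in msg.get_all("Received", []):
        m = re.match(r"from\s+([\w.-]+)", received)
        if m:
            hosts.add(m.group(1).lower())
    return hosts

def in_company_domain(host, company_domains):
    return any(host == d or host.endswith("." + d) for d in company_domains)

def triage(raw, company_domains=COMPANY_DOMAINS, known_phones=KNOWN_PHONES):
    """Apply quiz steps 2 and 3; the verdict is 'verify out of band', not 'phish'."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    phones = {re.sub(r"\D", "", p) for p in PHONE_RE.findall(body)}
    foreign = sorted(h for h in sender_hosts(msg) if not in_company_domain(h, company_domains))
    unknown = sorted(phones - known_phones)
    return {"foreign_hosts": foreign, "unknown_phones": unknown,
            "verify_out_of_band": bool(foreign or unknown)}
```

On the sample message this flags both the sending hosts and the phone number, which is exactly the situation in the post: the only safe next step is calling a number you looked up yourself.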

The horrifying thing is, it's not the first time it's happened to me. I'll admit I may scrutinize the odd stuff that lands in my mailbox a bit more than someone with a different profession, but that's actually also the point. If the corporate default is to not-so-seamlessly use third parties to (for goodness' sake) ask for ACCOUNT VERIFICATION, how is the average person supposed to see the difference between phishing emails and swimming, scaly, finny emails that breathe with gills but are somehow really legitimate?

Really, I've been seeing this kind of thing for years, dating back to the first time someone asked me if it would be OK to give a third party a server SSL cert for the company, to "make the customer experience more seamless." My response at the time was something along the lines of "Yes, you've seamlessly fooled your customer into believing that they are still dealing with you, and not some nameless vendor of yours. When the lawsuits come, just imagine me saying I told you so, but refrain from calling me..." Honestly, I thought explaining to my customer that handing someone else your server cert was equivalent to lying to their own customers would have a more interesting and corrective effect. I'm older now and realize that PR and marketing folks see lying to customers as the only proper interaction.
